Book your demo Log in

Data Processing Agreement (DPA)

This Data Processing Agreement ("Agreement") is incorporated into the Contract for Services ("Principal Agreement") between Stormburst Studios Ltd, trading as OneUp Sales ("Processor", "OneUp Sales", or "we") and the customer who agreed to the Principal Agreement ("Controller" or "you"). This Agreement forms part of the Principal Agreement.

WHEREAS

(A) The Controller acts as a Data Controller.

(B) You wish to subcontract certain Services, which imply the processing of personal data, to OneUp Sales.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 (General Data Protection Regulation) and the UK GDPR.

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms shall have the following meaning:

  • "Controller Personal Data": any Personal Data Processed by a Contracted Processor on behalf of you pursuant to or in connection with the Principal Agreement.
  • "Contracted Processor": a Subprocessor.
  • "Data Protection Laws": EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country (e.g., the UK Data Protection Act 2018 and the UK GDPR).
  • "EEA": the European Economic Area.
  • "EU Data Protection Laws": EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
  • "GDPR": EU General Data Protection Regulation 2016/679.
  • "Data Transfer": A transfer of Controller Personal Data from you to a Contracted Processor, or an onward transfer where such transfer would be prohibited by Data Protection Laws.
  • "Services": the provision of a Sales Performance Management platform (the "Platform") that integrates with your third-party systems (such as CRMs, timesheet systems, and VoIP providers) to process Controller Personal Data for the purposes of creating and displaying Key Performance Indicators (KPIs), analytics, leaderboards, and motivational campaigns. This includes the secure design, development, delivery, maintenance, and support of the Platform.
  • "Subprocessor": any person appointed by or on behalf of OneUp Sales to process Personal Data on behalf of you in connection with the Agreement.
  • "UK GDPR": has the meaning given to it in section 3(10) (as-supplemented by section 205(4)) of the Data Protection Act 2018.

1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR or UK GDPR (as applicable).

2. Processing of Controller Personal Data

2.1 OneUp Sales shall:

  • 2.1.1 comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and
  • 2.1.2 not Process Controller Personal Data other than on your documented instructions.

2.2 You instruct OneUp Sales to process Controller Personal Data as detailed in Schedule A of this Agreement.

3. Processor Personnel

3.1 OneUp Sales shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, and that all such individuals are subject to confidentiality undertakings or obligations.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, OneUp Sales shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, OneUp Sales shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

5.1 You provide a general authorization for OneUp Sales to appoint Subprocessors to process Controller Personal Data in connection with the Agreement. OneUp Sales shall maintain an up-to-date list of its Subprocessors, which shall be made available to you (available at trust.oneupsales.co.uk). OneUp Sales shall inform you of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving you the opportunity to object to such changes.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, OneUp Sales shall assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws (including Data Subject Access Requests or "DSARs"). OneUp Sales shall provide such assistance without undue delay to enable you to meet any timeframes stipulated by the Data Protection Laws.

  • 6.2.1 promptly notify you if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
  • 6.2.2 ensure that it does not respond to that request except on your documented instructions or as required by Applicable Laws.

7. Personal Data Breach

7.1 OneUp Sales shall notify you without undue delay upon OneUp Sales becoming aware of a Personal Data Breach affecting Controller Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 OneUp Sales shall co-operate with you and take reasonable commercial steps as directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

8.1 OneUp Sales shall provide reasonable assistance to you with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which you reasonably consider to be required by Article 35 or 36 of the GDPR.

9. Deletion or return of Controller Personal Data

9.1 Subject to the data retention policies detailed in Schedule A, OneUp Sales shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Controller Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Controller Personal Data, unless applicable law requires storage.

9.2 OneUp Sales shall provide written certification to you that it has fully complied with this section 9 within 10 business days of the Cessation Date.

10. Audit rights

10.1 Subject to this section 10, OneUp Sales shall make available to you on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by you or an auditor mandated by you in relation to the Processing of the Controller Personal Data by the Contracted Processors.

11. Data Transfer

11.1 OneUp Sales shall not transfer, process, or store any Controller Personal Data outside the European Economic Area (EEA) or the United Kingdom (UK). All processing of Controller Personal Data by OneUp Sales and its Subprocessors shall take place within the EEA or the UK.

12. General Terms

12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement ("Confidential Information") confidential.

12.2 Notices. All notices and communications given under this Agreement must be in writing.

13. Governing Law and Jurisdiction

13.1 This Agreement is governed by the laws of England and Wales.

13.2 Any dispute arising in connection with this Agreement will be submitted to the exclusive jurisdiction of the courts of England and Wales.

Schedule A - Details of Processing

This Schedule A forms part of the Agreement.

A1. Subject-matter of the Processing

The processing of your performance and related data from your authorized systems to provide the Services.

A2. Nature and Purpose of the Processing

To securely integrate with your authorised third-party systems (e.g., CRMs, timesheet systems, VoIP providers) to access, retrieve, and process Controller Personal Data. The purpose is to transform this data into Key Performance Indicators (KPIs) and other metrics, which are then used to populate and power the Platform's features, including analytics, gamification, targets, and leaderboards for your use.

A3. Type of Personal Data

  • Contact and Identification Data: (e.g., name, email address, phone number).
  • Professional Data: (e.g., job title, company, team, department, business address).
  • Activity and Performance Data: (e.g., records of calls, emails, tasks, and other business activities; data on performance outcomes, targets, or other metrics; notes and communications related to these activities).

A4. Categories of Data Subjects

  • Your employees, agents, or contractors (e.g., sales staff, managers, support staff).
  • Your customers, clients, and business contacts (e.g., individuals at companies you work with).
  • Your candidates, prospects, leads, or other individuals whose data is stored in your systems.

A5. Duration of the Processing and Data Retention

  • OneUp Sales shall process Controller Personal Data for the duration of the Principal Agreement.
  • Following the termination of the Principal Agreement (the "Cessation Date"), OneUp Sales shall store the underlying data for as long as necessary to provide any final reporting and for a period not to exceed six (6) months after the Cessation Date.
  • OneUp Sales performs periodic reviews of data from terminated clients. As a matter of practice, this review occurs quarterly (e.g., at the start of Q3, data for clients who terminated in Q1 is scheduled for deletion). All Controller Personal Data will be securely deleted from our systems in accordance with this retention schedule.